Sheep vs. sheep: BlackSheep detects Firesheep

Late last month I wrote about Firesheep, a Firefox plug-in that makes it ridiculously easy to hijack someone else’s Web session. Those who access popular sites such as Twitter or Facebook via insecure connections could find their accounts have been accessed via Firesheep on public Wi-Fi networks.

There are certain things you can do to protect yourself, and the two links in the paragraph above contain suggestions, including using a VPN service when you’re on a public network and installing the HTTPS Everywhere plug-in in Firefox to ensure you are connected securely when HTTPS is available.

Now, you’ve got one other tool that can help. On Monday, Zscaler released BlackSheep, a Firefox plug-in that can alert you when Firesheep is being used on a network.

When you install BlackSheep in Firefox, it begins looking for Firesheep activity on the network. If Firesheep is found, you’ll get a warning in the browser.

To understand how BlackSheep works, we first need to understand the details of Firesheep. Firesheep listens to the HTTP traffic on port 80. When it identifies a transaction to a known site (Facebook, Google, Yahoo!, etc.), it looks for specific cookie values which are then used to identify a specific user. This phase of the attack cannot be detected as it is done passively.

When Firesheep identifies a user session, it then makes a request to the same site using the user’s cookie values in order to retrieve user information such as their name, picture, etc. This active network activity is, however, visible to others on the local network.

BlackSheep detects the active connection made by Firesheep. It does this by making HTTP requests to random sites handled by Firesheep every 5 minutes (configurable) with fake values. BlackSheep then listens to all HTTP requests on the network to detect if somebody else is using the same fake values.

In fact, BlackSheep even uses the same source code as Firesheep, Sobrier says.

And if you have installed Firesheep, you’ll want to disable it before installing BlackSheep. Otherwise, BlackSheep will detect your own instance of Firesheep and give a false positive.
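The detection idea described above, as added example code (not BlackSheep's own source): plant random fake cookie values, then flag any sniffed HTTP request that reuses one. The site names, cookie names, addresses and the rule that the first sighting from our own address is the planted decoy are assumptions, and the sample traffic is constructed.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical sites and cookie names (assumptions, not BlackSheep's list).
DECOY_SITES = {"social.example": "session_id", "mail.example": "auth_token"}

def make_decoys(sites=DECOY_SITES):
    """Return {(host, cookie_name): random fake value} to send as decoys."""
    return {(host, name): secrets.token_hex(16) for host, name in sites.items()}

def parse_cookies(header):
    """Parse a Cookie request header into a plain dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {k: m.value for k, m in jar.items()}

def find_replays(decoys, requests, own_ip):
    """Return one alert per sniffed request that reuses a decoy value.

    Assumption: the first sighting of a decoy from own_ip is the request we
    planted; any other sighting means the value was captured and replayed.
    """
    planted, alerts = set(), []
    for req in requests:
        cookies = parse_cookies(req.get("cookie", ""))
        for (host, name), value in decoys.items():
            if req["host"] != host or cookies.get(name) != value:
                continue
            if req["src"] == own_ip and (host, name) not in planted:
                planted.add((host, name))  # our own decoy going out
                continue
            alerts.append({"src": req["src"], "host": host, "cookie": name})
    return alerts

if __name__ == "__main__":
    # Constructed sample: one decoy and four sniffed requests.
    fake = "f00d" * 8
    decoys = {("social.example", "session_id"): fake}
    sniffed = [
        {"src": "10.0.0.5", "host": "social.example", "cookie": f"session_id={fake}"},
        {"src": "10.0.0.9", "host": "social.example", "cookie": "session_id=real123"},
        {"src": "10.0.0.23", "host": "social.example", "cookie": f"lang=en; session_id={fake}"},
        {"src": "10.0.0.5", "host": "social.example", "cookie": f"session_id={fake}"},
    ]
    for alert in find_replays(decoys, sniffed, own_ip="10.0.0.5"):
        print("decoy cookie replayed:", alert)
```

The last constructed request shows the false positive mentioned above: a replay from your own address is flagged just like one from another host.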

BlackSheep only works in Firefox – there are no Chrome, Safari or Internet Explorer versions – and it only works on Mac OS X and Windows. (Windows users will also need to install WinPcap.) There’s no support for Linux at the moment.

Keep this in mind, however – BlackSheep doesn’t actually protect you from hackery. BlackSheep only alerts you to Firesheep’s presence. Once you know someone on the network is using Firesheep, it’s up to you to take action to protect yourself. If you’re in a public place, that may include packing up your gear and getting off the network.